CVE-2026-27730
Severity
HIGH
esm.sh <= 137 - DNS Alias Server-Side Request Forgery
Title source: manual
Description
esm.sh is a no-build content delivery network (CDN) for web development. Versions up to and including 137 have an SSRF vulnerability (CWE-918) in esm.sh’s `/http(s)` fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypassed using DNS alias domains. This allows an external requester to make the esm.sh server fetch internal localhost services. As of time of publication, no known patched versions exist.
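The hostname-string check the advisory describes, shown beside a resolver-based check that rejects any name resolving to loopback or private space, as an added Go example that is not esm.sh's own code. `Resolver` is a hypothetical seam standing in for `net.LookupIP` so the check can be exercised offline, and `alias.example` in the accompanying test is a constructed name that resolves to 127.0.0.1.

```go
package main

import (
	"errors"
	"net"
	"net/url"
	"strings"
)

// Resolver is a hypothetical seam (net.LookupIP in production) so tests run offline.
type Resolver func(host string) ([]net.IP, error)

// hostnameStringCheck mirrors the name-based validation the advisory describes:
// only the literal host string is inspected, so an external DNS name that resolves to 127.0.0.1 passes.
func hostnameStringCheck(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	h := strings.ToLower(u.Hostname())
	if h == "localhost" || strings.HasSuffix(h, ".localhost") || h == "127.0.0.1" || h == "::1" {
		return errors.New("internal target rejected")
	}
	return nil
}

// isInternalIP covers ranges a public fetch proxy must never reach.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified()
}

// resolvedAddressCheck resolves the host and rejects the URL if any answer is internal. Enforce the
// same predicate on the address actually dialed (net.Dialer.Control); a second lookup may differ.
func resolvedAddressCheck(rawURL string, resolve Resolver) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	ips, err := resolve(u.Hostname())
	if err != nil || len(ips) == 0 {
		return errors.New("host did not resolve")
	}
	for _, ip := range ips {
		if isInternalIP(ip) {
			return errors.New("host resolves to internal address " + ip.String())
		}
	}
	return nil
}
```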
References (1)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/esm-dev/esm.sh/security/advisories/GHSA-p2v6-84h2-5x4r
Scores
CVSS v3
7.5
EPSS
0.0034
EPSS Percentile
25.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (2)
esm/esm.sh
< 137
esm-dev/esm.sh
0 - 0.0.0-20250616164159-0593516c4cfa Go
Published
Feb 25, 2026
Tracked Since
Feb 25, 2026